A common step in deciding whether to grant a request for access to data or services in a network is to authenticate the requesting user. Authentication is the process of establishing or confirming one or more characteristics associated with a user or a request. For example, authentication may include confirming a user's identity or confirming that a request is generated by a particular device. In computer networks, authentication commonly involves the use of passwords. Knowledge of a password is assumed to warrant that the user is authentic. Typically, a user is initially assigned or selects a password, and upon each subsequent use the user must provide the password. A password is considered a first authentication factor because it is something the user knows that presumptively no one else knows.
Since passwords are vulnerable to hackers, security can be improved by adding a second authentication factor. Second authentication factors generally include something the user has (as opposed to something the user knows). Second authentication factors preferably include credentials that can be generated systematically and verified efficiently. Common sources of second authentication factors include smart cards, tokens, and other similar security devices that may be referred to generally as security tokens.
A security token can include one or more secrets that may be shared with an authentication service. The token can use the secret as the basis for generating credentials such as One-Time Passwords (OTPs). An OTP can be a number or alphanumeric string that is generated once and is not reused. The token can generate an OTP and the user can send the OTP to an authentication service. The authentication service generates an OTP using its copy of the secret. The user is authenticated if the OTP determined by the authentication service matches the OTP provided by the user.
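The exchange described above, as an added example that is not part of the original text: the token and the authentication service share a secret, each derives a One-Time Password from it, and the service accepts the request only if the two values match. The page names no specific OTP algorithm; this example assumes event-based HOTP (HMAC-SHA1 with dynamic truncation, RFC 4226), a constructed shared secret, and a small look-ahead window on the service side so that a token whose counter has advanced slightly ahead (e.g. the user generated an OTP but never submitted it) is still accepted, while a replayed OTP is rejected because the service never moves its counter backwards.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


class TokenDevice:
    """The user's side: holds the secret and a moving-factor counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def generate(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1  # each OTP is produced once and never reused
        return otp


class AuthenticationService:
    """The verifier: recomputes the OTP from its own copy of the secret."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the service expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        # Try the expected counter and a bounded window of later values so a
        # token that ran ahead can resynchronise; compare in constant time.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # never accept this or earlier OTPs again
                return True
        return False


def demo_exchange() -> tuple:
    """Run the token/service exchange; returns (accepted, replay_rejected,
    wrong_rejected, resync_accepted) as booleans."""
    shared_secret = b"12345678901234567890"   # constructed shared secret
    token = TokenDevice(shared_secret)
    service = AuthenticationService(shared_secret)

    otp = token.generate()
    accepted = service.verify(otp)            # fresh OTP matches
    replay_rejected = not service.verify(otp) # same OTP again is refused
    wrong_rejected = not service.verify("000000")

    token.generate()                          # user generated one and lost it
    resync_accepted = service.verify(token.generate())  # still inside window
    return accepted, replay_rejected, wrong_rejected, resync_accepted


if __name__ == "__main__":
    print(demo_exchange())
```

The look-ahead window is what makes the scheme usable when the two counters drift apart; keeping it small bounds how many candidate values an attacker could match with a single guess, and advancing the service counter on every success is what turns each OTP into a genuinely one-time credential.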
Secrets can be stored in numerous different types of devices and used as the basis for generating OTPs. As examples, secrets may be stored in personal computers, notebook computers, cell phones, and other devices. One challenge faced by authentication services is how to provide secrets to these types of devices in a secure and user-friendly manner. Users prefer provisioning methods that are user-friendly, while authentication services require provisioning methods that are secure. Unlike security tokens, which are typically provisioned with a secret during manufacture, these devices are usually not provisioned with a secret until after purchase by a user. There is a tradeoff between security and usability when using conventional methods of provisioning devices. Secure methods are generally not user-friendly, and user-friendly methods are generally not secure. This is because secure methods typically require multiple levels of user input for authentication, while user-friendly methods require little or no user input for authentication. Authentication to acquire a secret generally requires confirmation that the request is associated with a particular device. For example, a mobile device such as a cell phone may be required to provide information that confirms it generated a request for a secret.
Thus, there is a general need in the art for improved methods and apparatus for provisioning devices with secrets.